Initial AMD Technical Assessment of CTS Labs Research
Click here to post a comment for Initial AMD Technical Assessment of CTS Labs Research on our message forum
Fox2232
Well written AMD. Especially clearing distance from Spectre/Meltdown.
When CT Slabs wrote that those are not fixable, they knew one thing... To put disclaimer that their results are their opinions and may be wrong.
Zeka
Very professional response from AMD. Good job
This is so so low... Such dirty tactics, investing in lies and deceit instead of making better and affordable products, and competing fairly.
I salute AMD, if it wasn't for them, we'd be still using 32bit single core processors. Intel, shame on you. I will never ever buy any of your MBs or processors, unless you change how you do business
Spider4423
Well since this was a aggressive attack on AMD and they needed to make the ant look like an elephant. Repercussions were expected.
Hopefully this type of behavior doesn't become a trend.
Kaarme
It's sad AMD even needs to respond to the trolls who were only interested in bringing down the stock for short selling. It wouldn't surprise me if that CTS Labs had been taken down by now, and the dudes behind it were already looking for their next victim, ready to found a new whatever cover company for the purpose.
RzrTrek
CTS labs may have been quick to jump the gun, but at least something good came out of it.
gianluca
If I were AMD I would use my lawyers too, not just the engineers.
Considering the amount of money involved in this industry and the fact that even a small lie or a wrong or misleading statement/assessment can cause damages for millions (when not billions), I wouldn't be surprised if this story will have legal consequences.
Silva
"Method: Attacker requires Administrative access."
Top kek.
fredgml7
Just as i expected. Nothing to really worry about here.
Prince Valiant
A hearty thanks to Hilbert for not being tempted to constantly throw fud about this for clicks π.
Nice to see that all of this is patchable and nothing is architecture related.
schmidtbag
Which is...?
I don't know anything positive that came out of this, especially when you consider their approach. All of the flaws they discovered were effectively non-issues. So yeah, patching these things is good and all, but they didn't need to attract anyone's attention. All that came of this was FUD, which we have more than enough of from any major company these days.
AMD could've done absolutely nothing about this and I'm sure nobody would've been affected. But, they sort of have an obligation to address these "vulnerabilities" brought by CTSL
Prince Valiant
AMD got security research done for free π?
AsiJu
AMD professionally "defused" the situation by calmly and collectively responding. Very nice work.
And, this was already mentioned above but I'll quote it anyway from the response:
"Itβs important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings.
Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research."
I said in another thread that should the above happen, possible exploit vectors are the least of your worries.
waltc3
It's sad that seemingly everything that appears on the Internet, if not fake news, is given a level of credibility completely undeserved. To sum up from the company hired by "CTS" to supposedly verify their blatantly ignorant, financially motivated claims:
There is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers (see https://www.usenix.org/system/files/1401_08-12_mickens.pdf, Figure 1)
These types of vulnerabilities should not surprise any security researchers; similar flaws have been found in other embedded systems that have attempted to implement security features. They are the result of simple programming flaws, unclear security boundaries, and insufficient security testing. In contrast, the recent Meltdown and Spectre flaws required previously unknown techniques and novel research advances to discover and exploit.
I think CTS had best have written its own obituary as opposed to AMD's....;) This would be a nice undertaking for the SEC.
Rich_Guy
so AMDs confirmed it, and are going to start patching within weeks, lol.
TLD LARS
Yes they confirmed it because you can attack the computer if you have admin rights, but if you have admin rights anyway you could just attack windows itself and not limit your attack to AMD only.
I am guessing here, but i think that Asus and Asrock is now busy applying the AMD fixes to the Asmedia chips installed on many Asus and Asrock Intel boards.
Many of these attacks could effect Intel also, if you have the skills it should be possible to mod a Intel bios, to compromise a Intel system.
They managed to install a 8000 i3 CPU in a 100 series chipset motherboard by modding the bios, so modding to compromise a system should be possible.
Fox2232
Intel's IME was successfully modified/disabled... That's bigger than just changing microcode of one CPU series for another.
tsunami231
I said it once i will say it again social media site are bad stupid people like to out security flaws there and shit tend to hit the fan when that happens. istead of telling the right people and them deal with it and keeping silent about till then, people and other companys just want there name in news and time in the spotline, reguardless to the damage they cause.
I probably need another bios now cause quite few of my board has a asmedia chip on it too and my current board has a 3.1usb a and 3.1 usb c port that use asmedia
Reddoguk
It's just like someone else sitting at your computer may delete stuff if you give them full control. Or if hackers are already in the door they can do many things including doing nothing but spying on you, which i find more serious than some malware spreader.
AsiJu
Also "funny" that the results were published less than 24 hrs after contacting AMD...
looks like they did that so they can claim to have done the "right thing" by contacting AMD first, only.
Spectre and Meltdown were kept under wraps for what, 6 months? To give Intel, AMD, ... time to investigate and prevent exploits meanwhile.
Really hope this doesn't become a trend but now that it's been done once...
Fox2232
Let's be modern, We Have To Blame Russia. We Must Be Sure that They Want to Promote their Baikal Chips.
